a blog by Sander Berkouwer

Sometimes, error codes for Microsoft products and technologies are really straightforward, yet in situations where you have limited to no troubleshooting options, like the Windows Out-of-the-Box Experience (OOBE), even a straightforward error can prove difficult to solve.

Today, let’s look at one of the most common errors you might encounter when you try to Azure AD Join a Windows 10-based device:

The situation

For any organization using an Azure Active Directory tenant, Azure AD Join is enabled by default. This functionality allows your users to designate the Windows installation on devices they trust as a trusted device for single sign-on (SSO). By default, the only thing these users need is a user object in Azure Active Directory.

Windows 10 offers two built-in methods for users to join their devices to Azure AD:

In the Out-of-the-Box Experience (OOBE)

In the Settings app

In both situations, the user account used for the Azure AD Join gains local administrator privileges, as Azure AD Join is seen as a Bring Your Own Device (BYOD) scenario by Microsoft.

The error

When a person tries to register another Windows 10 device to Azure AD using their user account, he or she receives an error stating:

Something went wrong.

This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code 801c0003

The cause

The person receives the error because he or she has reached the maximum number of devices he or she is allowed to Azure AD join.

By default, Azure Active Directory enforces a limit of 20 joined devices per user object. It even enforces this limit on privileged users, such as users with the Global Admin role.

This arbitrary value was chosen, because, by default, Azure AD-joined devices are not removed after an idle time-out. It closely resembles the default behavior of the 10-devices limit in Active Directory Domain Services (AD DS) for non-admins, but because Azure AD is at least twice as good as good ol’ AD DS, I guess the team settled on 20.

For organizations using Microsoft Intune and automatic device enrollment, the 20-device limit makes sense, because of the restrictions in licensed devices within Intune licenses assigned to users.

The solutions

As an admin, you can prevent the error from occurring in four separate ways:

Disable Azure AD Join

We encounter Azure AD usage like Azure AD Join in many organizations that have simply synchronized objects from Active Directory Domain Services to enable access to Office 365. Their admins would typically have chosen to use Express Settings with Azure AD Connect and go with Azure AD’s default settings, which results in a scenario where every user can use this functionality, but without admin oversight.

Sign in with a user account in your Azure Active Directory tenant with at least Global Administrator privileges. Perform multi-factor authentication, when prompted.

In the left navigation pane, click Azure Active Directory.

In the new pane that emerges, click Devices.

In the Devices pane, click Device settings.

Select None for the switch labeled Users may join devices to Azure AD. This applies to all Windows 10-based devices.

Select None for the switch labeled Users may register their devices with Azure AD. This will also disable Azure-based Workplace Join for iOS and Android devices, as well as legacy Windows versions like Windows 7 and Windows 8.1.

Click Save.

Close the browser.

This way, as an admin, you don’t have to deal with these settings just yet. Note, however, that the above two switches do not apply to device synchronization in Azure AD Connect.

Make users join their own devices

In other organizations, admins may use their account to Azure AD join devices. This way, they circumvent the default BYOD behavior of local admin rights to the user account belonging to the person joining the device.

Indeed, the admin is the only person with local administrator rights on these devices, but it breaks the model in organizations that (later on decide to) implement Microsoft Intune.

Although every Microsoft feature, product and technology gets used in ways that weren’t envisioned by Microsoft, this is not a feature you want to abuse this way. When you want to leverage Azure AD Join, allow your users to join their devices using their own user accounts.

Up the device limit

Of course, you can also up the Azure AD Join device limit. Follow these steps to do so:

Sign in with a user account in your Azure Active Directory tenant with at least Global Administrator privileges. Perform multi-factor authentication, when prompted.

In the left navigation pane, click Azure Active Directory.

In the new pane that emerges, click Devices.

In the Devices pane, click Device settings.

Select your favorite number for the value labeled Maximum number of devices per user. Available values are 5, 10, 20, 50, 100 and Unlimited.

Click Save.

Close the browser.

Delete some devices

Another way is to delete some of the devices from Azure AD for the person encountering the error. As there is no way for users to self-manage their Azure AD-joined devices, you can channel your inner BOFH and delete some of the devices the person no longer needs (and their associated BitLocker recovery information).
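Before raising the limit or deleting anything, an admin usually wants to see how close a given user is to the quota and which of their devices are stale. The script below is an added example, not from the original post; it assumes the Microsoft Graph PowerShell SDK is installed, that the cmdlets Get-MgPolicyDeviceRegistrationPolicy, Get-MgUserOwnedDevice and Get-MgDevice expose the UserDeviceQuota, AzureADJoin.AllowedToJoin, TrustType and ApproximateLastSignInDateTime properties as named here, and that the signed-in admin is granted the Policy.Read.All and Directory.Read.All scopes. The 90-day staleness threshold is a hypothetical value.

```powershell
# Added example (not the blog's own code). Reports a user's device count against the
# tenant's per-user device quota and flags stale devices as candidates for clean-up.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $StaleAfterDays = 90   # hypothetical threshold; pick what fits your environment
)

# Read-only scopes are enough for the report; deletion is left as a reviewed, manual step.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' | Out-Null

# Tenant-wide device registration settings: the per-user quota (the portal's
# "Maximum number of devices per user") and whether Azure AD Join is allowed at all.
$policy = Get-MgPolicyDeviceRegistrationPolicy
$quota  = $policy.UserDeviceQuota
Write-Host "Quota: $quota device(s) per user; Azure AD Join allowed: $($policy.AzureADJoin.AllowedToJoin)"

# The joining user is recorded as the device owner. Get-MgUserOwnedDevice returns generic
# directory objects, so re-read each one as a typed device to get trust type and sign-in time.
$owned = @(Get-MgUserOwnedDevice -UserId $UserPrincipalName -All |
    ForEach-Object { Get-MgDevice -DeviceId $_.Id })   # -DeviceId takes the object id here

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)
$report = $owned |
    Select-Object DisplayName, Id, TrustType, OperatingSystem, ApproximateLastSignInDateTime,
        @{ Name = 'Stale'; Expression = { $_.ApproximateLastSignInDateTime -lt $cutoff } } |
    Sort-Object ApproximateLastSignInDateTime

Write-Host "$UserPrincipalName owns $($owned.Count) device(s) (TrustType AzureAd = Azure AD joined):"
$report | Format-Table -AutoSize

if ($quota -and $owned.Count -ge $quota) {
    Write-Warning "Quota of $quota reached; the next Azure AD Join for this user will fail with 801c0003."
    Write-Host 'Stale candidates for removal (export BitLocker recovery keys first; deletion drops them):'
    $report | Where-Object Stale | Format-Table DisplayName, Id, ApproximateLastSignInDateTime -AutoSize
    # After review, a single device can be removed with:  Remove-MgDevice -DeviceId <object id>
}
```

Run it against the user from the error message; if the count sits at the quota, the report shows which of the three remaining solutions (raise the limit, delete stale devices, or both) is the least disruptive.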
